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FD-1057 (Rev. 5-8-10) 


Title: (U) To request case be opened Date: 03/06/2017 


el 


From: ATLANTA b3 
AT-CY1 b6 


contact: sa] bic 
b7E 
approved my: sa] = | 


KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) To request case be opened and assigned to the writer. 


Details: 


On March 1, 2017, a professor at Kennesaw State University ("KSU") 
was contacted by an Atlanta-based security firm about an alleged b7E 
vulnerability in the KSU website elections.kennesaw.edu that contains 
voter registration information for counties across the state of 
Georgia. The Atlanta-based security firm was contacted by a security 
researcher that found the vulnerability and was able to exploit the 
vulnerability. This allowed the security researcher to obtain the voter 


registration information. The professor immediately notified KSU's 


Chief Information Security Officer ("CISO") about the potential 


vulnerability. 


KSU notified the FBI about the incident. On March 3, 2017, the FBI 


met with members of the KSU to discuss the incident. 


Based on the above information, the writer requests af 
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Re: 03/06/2017 
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FD-941 (2-26-01) 


CONSENT TO SEARCH COMPUTER(S) 


La. Stephen. Es Gay sss have been asked by Special Agents of the 
Federal Bureau of Investigation (FBI) to permit a complete search by the FBI or its designees of any and all computers, 
any electronic and/or optical data storage and/or retrieval system or medium, and any related computer peripherals. 


described below: 


Dell Real. ROIS, iex Tag! FETIFOL 00 


CPU Make, Mode? & Serial Number (if ) ( 


Storage or Retrieval Media, Computer Peripherals 


control, and/or have access to. for any evidence of a crime or other violation of the law. The required passwords, logins. 


and/or specific directions for computer entry are as follows: 


I have been advised of my right to refuse to consent to this search. and I give permission for this search. freely 
and voluntarily. and not as the result of threats or promises of any kind. 
I authorize those Agents to take any evidence discovered during this search, together with the medium in/on which 


it is stored. and any associated data. hardware. software and computer peripherals. 


3-3-17 


Date 
3-37 
Date b3 
b6 
b7c 
b7E 


Location 


Af 3/7/11 


pa 2 of 15 
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FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/10/2017 


date was interviewed at his 
residence located at 


advised of the identity of the interviewing Agents and the nature of the 


After being 


interview[ ] provided the following information: 


[ Jis A] at a company named BASTILLE located at 


1000 Marietta Street, Suite 224, Atlanta, Georgia. The company specializes 
in research on zd ue ios through software-defined radio. Prior to 


working for BASTILLE, worked for the Oak Ridge National Lab (ORNL) 
located in Oak Ridge, Tennessee. ^ ]statea he left ORNL to explore 


working at a start-up company. 


In the summer of 2016,[ statea he wanted to research election voter 
machines and whether they were suscept] to various wireless 
vulnerabilities among other e Ja reached out to the 
Fulton County Government Center in order to obtain an election voter 
machine. However, personnel at the Fulton County Government Center 
instructed to contact Kennesaw State University (KSU) since KSU 
oversees Georgia's election operations and voting machines. 


Prior to contacting Ksu,[____ ]conducted research on KSU's Center for 
Election Systems (CES) website (elections.kennesaw.edu) J | stated he 
used a technique known as 


Investigation on 03/03/2017 at Atlanta, Georgia, United States (In Person) 


Date drafted 


File # 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 


03/07/2017 
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Continuation of FD-302 of (U) Interview of „On 03/03/2017 page 2 of 3 


[ | ]eontactea Merle King who is the Executive Director at KSU's CES 
about his findings and his interest in conducting vulnerability research on 


the election voting machines. King stated KSU would "look int 


findings. However, King was not very receptive of the idea ol 
ld that the 


"Just 


researching the election voting machines. In fact, King tol 


people downtown would_not appreciate him poking around and 


needed to drop it." stated during this time he consulted with the 


Electronic Frontier Foundation (EFF) to make sure that he was not violating 


any laws. advised he maintained all of his communications with King 
and KSU should the FBI need them. 


EE unsuccessful in | alternative contacts at KSU to discuss 


this matter so he just dropped it. stated he thought about contacting 
the FBI but did not want to get things spun up prior to the elections. 


mr on or about Wednesday, March 1, 2017, he was having 


drinks with hele — |decor ea E] being in the security 
research community. [E]. this time [Jana PCM discussing 
the 2016 elections. ET is EI findings related to 
the CES website and King's response. cal | that he knows 
who i ofessor at KSU who could help ebsite was still 
== he would check and let know. 
On the same day, stated he ran b6 
b7c 
This data b7E 


included Georgia's voter registration records. reviewed some of the 


data which included training material on how to setup an election voting 
machine. 


stated he ran 


did not know the specific IP a that was assigned to him 
at the time he executed the script. However, stated he uses th 
Internet Service Provider Gigamonster. 


At the time of the interview, | | Still had a copy of the data 


downloaded from the C j d not disseminated the data to 
anyone. E Agent instructed[ ^ ]to delete the data 


whic agreed to do. 


At the conclusion of the interview, expressed concern about the 


state of the CES website and asked the agers if ari Sno: was sor to be 
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Continuation of FD-302 of 


(U) Interview o On 03/03/2017 


stated he could be contacted via his cell phone number 


, Page 
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FEDERAL BUREAU OF INVESTIGATION 
Date of entry 03/10/2017 


On March 3, 2017, representatives from the Atlanta Division of the 
Federal Bureau of Investigation (FBI) as well as the United States 
Attorney's Office, Northern District of Georgia (USAO-NDGA), met with 
executives of Kennesaw State University (KSU). The individuals in 
attendance included: 


Federal Bureau of Investigation 
Supervisory Special Agent 


Special Agent 
Special Agent 
Computer Scientist 


United States Attorney's Office 
Assistant United States Attorney 


Kennesaw State University 


Lectra Lawhorne, Chief Information Officer/VPIT å 
Stephen C. Gay, Chief Information Security Officer b7c 
Jeff Milsteen, Chief Legal Affairs Officer b7E 


Andrew Newton, Associate General Counsel 


KSU Executives provided the FBI with a document outlining the event up 
to March 1, 2017. In summary, GAY was contacted m] a professor 


in the Information Assurance and Security Program regarding a third party 
report he had received from an "Atlanta based security firm" which alleged 


users were able to exploit KSU's Center for Election Systems (CES) website 


counties across the State of Georgia. Following this notification, GAY 


initiated KSU's 


GAY's team did not obtain a volatile memory dump or a forensic image of 
the server hosting the CES website. The server was powered off and placed 
in a secure room. GAY stated his team is maintaining a Chain of Custody for 


the server. 


GAY advised the files that were accessible contained voter data to 


uNctASS1ETED//ÌyÔO 


Kennesaw, Georgia, United States (In Person) 


Investigation on 03/03/2017 a Kennesaw, Georgia, United States (In Person) =  ć  ć  ć 
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This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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[  ] 


(U) FBI/USAO-NDGA Meeting with KSU 
iV s E Executives 03/03/2017 2: OF 2 
Contimatons DHA. nor addwess, Last fous digits of seu,’ Db serverts ase —— 
Number, and Party Affiliation. He also stated some of the records may 
contain full SSNs as the State of Georgia previously used SSNs as an 


individual's Georgia Driver's License Number. 


GAY s] 
both the SIE 


GAY stated in August 2016, a security researcher from BASTILLE in 


Atlanta, Georgia had contacted KSU regarding a vulnerability associated 
with CES website and KSU had addressed it. 


GAY identified MERLE KING as the Executive Director of the Center for 
Election Systems. KING would be able to answer any questions about who 


should have legitimate access to the CES website. 


A digital copy of the summary provided by GAY has been placed in the 1A 
section of the captioned case file. 


oncLasszer20//o 


Center for Elections System Incident — 03/01/2017 


incident background: 


= Gay (KSU CISO) was contacted by Professor] sul] 


Professor) regarding a 3'%-party report he had received from an “Atlanta based security firm”. 
This initial call was at 9:29pm on Wednesday March 1* and alleged that through the use o 


for 
counties across the State of Georgia. Stephen immediately activated the UITS incident response team to 
validate the vulnerability, which was confirmed by the senior engineer. Stephen notified Lectra 
Lawhorne (KSU CIO), at 11:00pm regarding the notice and vulnerability. At 11:20pm 


Potential Impact: 


High. The discovered vulnerability is challenging to recreate, requirin 


Current progress: 


Members of the UITS Information Security Office met with 
members of the Center for Election Systems (Merle King nd Michael Barnes) on 03/02/17 
to discuss the incident, extract the logs for analysis, and begin aligning resources toward the hardening 
of the elections.kennesaw.edu servers. The Center Director, Mr. King, informed all parties that he would 
need to keep the Georgia Secretary of State "in the loop" since he (The Secretary of State) was the data 
custodian for the Center of Elections data. Mr. King further advised that he had been in contact with him 


regarding the incident and that the Secretary of State was "ok" with our investigation although he 
requested to receive regular updates. 


Stephen Gay briefed the CIO regarding the incident and notified the USG HelpDesk regarding this 
incident, per KSU Incident Response Procedures (USG Ticket number USG-INC0014152). At 11:00am on 
3/2/17, UITS bega 
elections.kennesaw.ed 

extend back to February 16%, 2017 due to system configuration and initial examination identified a 
single database file which contained 6.7 million records of what appears to the voter data. At 3:24pm, 
log review determined that: 


e 40 IP Addresses accessed 1 or more database files ~ 
e 17 IP Addresses accessed 1 or more zip archives 


Last Updated: 03/03/17 


b6 
b7C 
b7E 


b7E 


b6 
b"7C 
b7E 


At 4:30pm 3/2/17, a conference call was held with KSU Representatives, The Georgia Secretary of 

State's Office, The Center for Election Systems, KSU Legal Affairs, and others. The call was to bring all 

parties up to speed and discuss next steps. Under the direction of the KSU CIO, at 7:00pm 03/03/17, 

UITS staff member met with Merle King and seized the center b6 
for elections system KSU Tag 103019). A chain of evidence form was completed for the dni 
transaction and the server locked ín UITS ISO Secure Storage (Pilcher 109A) which is behind auditable 

locks. 


The initial incident reporter OC  ] provided the following activity from the security researcher at 
8:00pm 3/3/17 


© Wednesday 02/22/17 - 6:00PM - 12:00AM EST - traffic originated from an Atlanta IP address and 
an IP address from Switzerland 


e Friday 02/24/17 - 12:00PM - 8:00PM EST - traffic originated from an Atlanta IP address 
e Tuesday 02/28/17 - 5:00PM - 12:00AM EST - traffic originated from an Atlanta IP address 
ə Wednesday 03/01/17 - 7:00PM - 10:00PM EST - traffic originated from an Atlanta IP address 


UITS ISO Staff are currently working to use this additional data to correlate events to actors. 


Last Updated: 03/03/17 
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FEDERAL BUREAU OF INVESTIGATION 
Date of entry 03/10/2017 


of the Federal Bureau of 


On March 3, 2017, Special Agents 
and Computer Scientist 


Investigation (FBI) participated in a meeting with Kennesaw State 


University (KSU) Information Technology (IT) personnel to include STEPHEN 
GAY == = After being provided the identity of the interviewing 


agents and the nature of the interview, the following information was 


provided: 


Flash Drive Summary: 


[ ]proviaed saL___] with a flash drive containing data obtained b6 


during the course of KSU's incident response. Below is a description of the 


b7C 
b7E 


flash drive's content: 


CES Server: 


The server was running 


Investigation on 


UNCLASSIFIED//FWUO 


03/03/2017 aq Kennesaw, Georgia, United States (In Person) 


i 03/07/2017 
File # Date drafted /07/ b7E 


ty | E | b6 
b7C 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 
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(U) FBI Meeting with KSU Information 


Continuation of FD-302 of Technology (IT) Personnel On 03/03/2017 2 of 2 


, Page 


b7E 


on or about August 2016,[ J} a [at a company på 


named BASTILLE, shared vulnerabilities that he discovered in the CES Server 
with MERLE KING, Executive Director at KSU's CES. It was believed 

reached out to KING because he had been interviewed by media outlets, such 
as the Washington Post, and stated the election voter machines were 
unhackable. after[  Jinitial contact, KING asked KSU IT personnel to 
block email from bastille.net. 


KSU maintains officially sanctioned twitter accounts for communication 
with the public. One of these accounts, @KSUVote, was used to share 
communications regarding the Center for Election Systems. 


At the conclusion of the iabenviews|_— — |esevidéd a hardcopy of an 
email in which|  |contacted KING on August 28, 2016. 


Lastly, KSU IT personnel escorted the FBI to the location where the CES 
server was being securely stored. GAY signed a FD-941 "Consent to Search" 


form and relinquished custody of the CES server to the FBI. GAY was 
provided a copy FD-597 "Receipt for Property" form. 


Copies of the FD-941 "Consent to Search" form, FD-597 "Receipt for 
Property" form, and a digital copy off lemail along with the flash 
drive referenced above will been placed in the 1A section of the captioned 


case file. 
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From = = Wed, Aug 31, 2016 02:46 PM 


b7E 


When is the earliest we can schedule 199 AAA] 


m 
==] å 


information Ge 
University în 
Lonnesaw Su y 
Technology Servìces Bigg. Ryn 031 
1075 Canton PE 


Ke posa A ETE T 
Ye 


fax 78-50-1990 


Dy Offue b7C 
ion Techeotogy Services (UITS) b7E 


It has been immensely beneficial. 


KSU Center for Election Systems 
205 Campus Loop Road 


3 
K 144 
P F: 470-578-9012 


The [  Jompleted last night and I will share the results as soon as my current meeting completes. 


Information Security Office 


3/3/2017 Zimbra 


University Information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg. Rm 031 

1075 Canton Pi 


> — 
Tel 


Fax: 678-915-4940 


Sounds good to us. mens |] 


What is the status of the EE couldn't find where it had been run and when I went to w[ ] the 
available options made it difficult to choose while not really understanding them. 


[| 


KSU Center for Election Systems 
3205 Campus Loop Road 


K 144 
P: F: 470-578-9012 b6 


b7c 
b7E 


On Wed, Aug 31, 2016 at 9:56 AM -0400 —  — bwrote: 


Regards, 


Information Security Office 

University Information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg, Room 026 

1075 Canton PI, MB #3503 


one] 


ent: Tuesday, August 30, 20! :03: 
Subject: RE: [IMPORTANT] concerning the security of elections kennesaw edu 


b7E 


33/2017 


Zimbra 


Information Security Office 

University Information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg. Rm 031 

1075 Canton Pl 

Kennesaw, GA 30144 


Te] 


EE 


ubject: Re: [IMPORTANT] concerning the security of elections. kennesaw. edu 


KSU Center for Election Systems 
3205 Campus Loop Road 
K 


144 
p: F: 470-578-9012 
On Aug 30, 2016, at 11:59 AM 
> wrote: 


= 


Please log back in t 


b6 
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| 


|] 


Information Security Office 

University Information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg. Rm 031 

1075 Canton PI 


Ken 
Tel: 


b6 
b7c 
b7E 


i Re: T concerning the security of e 
added. 


KSU Center for Election Systems 
205 Campus Loop Road 


3 
K 144 
P: : 470-578-9012 
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AE 


Thanks for reaching out. We can definitely assist i i security 
nd of your site, For we can arrange for 
get some better 


insight. 


b6 
b"7C 
b7E 


Regards, 


NEN 


University information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg, Room 026 

1075 Canton PI, MB 43503 


Kenne 

Phone: 

Fax: ES 578-9051 
Qriai 


Good amo] — |i wanted to reach out for some assistance with our 
website as suggested in Stephen's email below. 


For some background information| — hna I have taken ri nsibility for 
the website here at Center for Election Systems. 
before either of us were employed here and we have spent the last 


several years simply maintaining it in the order it had been working 
ond Obviously this has become untenable in the current atmosphere, 


an and I must learn more to get the security of the website under 
control. in this regard we appreciate any help you can offer on security 


5/10 


3/3/2017 Zimbra 


best practices and specific security implementations that will allow us to 
secure the site. 


This moming we implemented 


Please ef Jena I know if you have any insights that will help b6 
accomplish this goal, as well as get a local firewall set up to allow us to b7C 
monitor access through logs. b7E 
Thank you, 


KSU Center for Election Systems 
205 Campus Loop Road 


3 
K 144 
P F: 470-578-9012 


wrote: 


Michael, 


Thanks for reaching out and we stand on ready to help. The source email 
domain, <bttp //bastìlle.neU >; bastille.net« «htitp://bastillenet/ >; 


located in Atlanta: 


Registry Registra : 
Registrant Name: b6 
Registrant Organization: Bastille Networks b7C 


Registrant Street: 1000 Marietta St NW 

Registrant Street: Suite 112 

Registrant City: Atlanta 

Registrant State/Province: GA 

Registrant Postal Code: 30318 

Registrant Country: US 

Registrant Phone: +1.7328200096 

Registrant Phone Ext: 

Registrant Fax: 

Registrant Fax Ext: 

Registrant Email: «railto:domainstibastillenebworks.com» 

domainstbastillenebworks.com < «rnailto.domainsQbastillenetworks. com» 
Fi å 


Hi 


We don't put internal domain blocks in place unless we detect a spike in 
phishing or vulnerability scanning from that domain which, at this point, 
isn't the case for <hitp://bastilie nel/>; bastille net < 


«nttp;/bastilenet/» ; http://bastille.n TNT 


domain which included file extensions, along 
with HTML Headers which include the service versions. 


Here the the Google search string which reveals the document he references 
* pdf site:elections.kennesaw.edu" 
Reporting precincts with cards - 


Loo Eh pro TE 


3/3/2017 


Zimbra 


at gives away the use of 


It is reasonable to assume that these types of unsolicited requests are 

going to increase leading up to the general election in November and we 
stand on ready to offer application security analysis and recommendations. 
In turn, I would highly recommend the use of an server based firewall/IDS to 
track this activity (specifically brute force attempts on the login page) 

and ensure that all access are logged. 


I am cc'ing 2 members of my team, Mr. mm M to 
advise on operating /application vulnerabilities and provide advice on 


mitigaling strategies will act as your point of contact and if I can 
assist in any way please let me know. 


In service, 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 
Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

Technology Services Bldg, Room 031 

1075 Canton PI, MB #3503 

Kennesaw, GA 30144 

Phone: (470) 578-6620 

Fax: (470) 578-9050 


-—- Original Message — 
From: "Michael Barnes" « 


Sent: Monday, August 29, 2016 9:24:30 AM 


Stephen, 


We received an unsolicited email over the weekend from i |] The 
content of the email has engaged our staff and we are looking into these 
claims regarding the security of our website. Would you please add this 
individual and the organization he claims to be affiliated with i 

of I recently black listed? Also, our IT staff, 

and ill be reaching out to you and your staff to see what 
assistance your group can provide us in pinging our site to verify that we 

are addressing security issues within our site. 


b6 
b7C 
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b7E 
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Zimbra 


Thank you in advance, 


Michael Barnes 

Director 

Center for Election Systems 
Kennesaw State University 
3205 Campus Loop Road 
Kennesaw, GA 30144 

ph: 470-KSU-6900 

fax: 470-KSU-9012 


Sent: Sunday, Augu F 


< 
Cc: Michael Barnes 


Steven and Jason - Please review this email and advise. Sooner is better 
than later. 


Thanks, 


MSK 


Sent: Sunday, August 28, 2016 3: 47:50 PM 


Hello Merle, 


My name sf] and I'm a cybersecurity researcher who is a member of 


Bastille Threat Research Team. We work to secure devices against new and 


ed wireless sien «ips; UEN. UR ener! 
: SE - 


ae ee eds This past Tuesday I 


went 
to Fulton County Government Center to speak wm |] about securing 


voting machines against wireless threats. 1 was then directed to contact you 


| O OK . . 


b6 
b7C 
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b7E 


8/10 


33/2017 Zimbra 


and the center. Pd like to collaborate with you on securing our state's 


election systems infrastructure against wireless attacks. 


While attempting to get more background information on the center prior to 


contacting you, I discovered serious vulnerabilities affecting 


The following google searches reveal documents that shouldn't be indexed and 


appear to be critical to the elections process. în addition] b7E 
install 


I generally use thîs type of search to find documents on websites that 
lack 


search functionality. This search revealed a LL] 


Assume any document that requires authorization has already been downloaded 


without authorization. 


The second search result appears to be fof — 1] 


If you have any questions or concerns please contact me. I'm able to come to 
the 


center this Monday for a more thorough discussion. 


Take care, 
E bs 
b7C 


33/2017 


Zimbra 


Merle S. King 


Executive Director 

Center for Election Systems 
Kennesaw State University 
3205 Campus Loop Road 


Kennesaw, Georgia 30144 


Voice: 470-578-6900 
Fax: 470-578-9012 
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Meri: Ving wrs latermoben Ga S Dire dar 
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Untitled 


According to [_ |] this should access the [ ||] a 


b7E 


Page 1 
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UNITED STATES DEPARTMENT OF JUSTICE 
FEDERAL BUREAU OF INVESTIGATION 
Receipt for Property Received/Returned/Released/Seized 


File # 


On (date) å item(s) listed below were: 
eceived From 
Returned To 


[] 
O Released To 
Ll 


Seized 


(Name) G [epe å “ / 
(Street Address) C £ $, 1000 eiat QR gsc 
(City) K NITE GA 


Description of Item(s) ____ 


Mm 


Physical 


Created From: 


Package: 
Stored Location: 
Summary: 


Acquired By: 
Acquired On: 
Acquired From: 


Attachment: 


UNCLASSIFIED 
1A/1C Cover Sheet for Serial 


Export 


1A8 
None 


(U) One Blue Verbatim 
Flash Drive 


SA 
2017-03-03 
(U) CISO Stephen Gay 


Kennesaw State 
University 


(U) One Blue Verbatim 
Flash Drive 


b3 
b6 
b7C 
b7E 


b3 
. b7E 


UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rev. 10-16-2009) 


Date: 03/15/2017 


[Kal 
uj 


Form Type: OTH 


Title:(U) Election-related files and usernames 


b7C 


Drafted By: Sal] b7E 
case m [7] c) uNsUB(S); 


KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) On March 06, 2017, Stephen Ga CISQ, Kennesaw State 
University, provided Special Agent with documents 
associated with Election-related files and usernames for the Center 


for Elections website. 


++ 


UNCLASSIFIED 


March 3, 2017 
Election-related files 


elections.kennesaw.edu 
b7E 


b7E 


This concludes the types of files placed within the county folders for distribution to counties 


FD-302 (Rev. 5-8-10) 


Investigation on 


[1 5 
. b7E 


-1 of 2- 


FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/17/2017 


[ | | date of birth cos LL] was interviewed at 30 


Trammell Street SW, Marietta, Georgia. After being advised of the 
the interview, | — | 


identity of the interviewing Agents and the nature of 


provided the following information: 


During the Hesses -sd his attorne 
present. The interview was conducted at 


located at 30 Trammell Street SW, Marietta, Georgia. 


On Wednesda March 1, 2017, LL statea he received a text message 
Ere Tui is a security researcher and very active in the 
ossible cyber security issue at Kennesaw 
subsequently spoke on the phone b6 
that he recently had dinner with b7C 
who is a at a company named Bastille. PIR 


During this dinner, tol | about multiple vulnerabilities that 
he discovered with the KSU's Center for Elections System (CES) website 


Marietta Office 


about a 


cyber security communit 
State University (KSU 
on the same day. 


also informe that had preyi y discovered 
vulnerabilities in the CES website back in 2016. reported the 


vulnerabilities to KSU who supposedly fixed it. stated he has never 


met 


After speaking with stated he 
navigated to the website 


er verifying 
contacted Stephen Gay who is the Chief Information Security Officer at 


Ksu.[  |recalled the notification was around 9:30 pm approximately. 


03/10 a Marietta, Georgia, United States (In Person) 


b3 
b6 
b7C 
b7E 


03/14/2017 


Date drafted 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


b3 
FD-302a (Rev. 05-08-10) b6 


b7C 


Continuation of FD-302 of (U) Interview off ] „On /2017 Page 2 of 2 


On Thursday, March 2, 2017, Gay contactea| —— | Gay wanted[ ] to 
document the steps he took to verify the vulnerability. In addition, Gay 
wanted to contact the security researchers and determine how they 
verified the vulnerability.[ |... | stated he collected the requested 
information and provided it to Gay via email on the same day. 

[  ]statea the security researchers wanted to responsibly disclose the 
vulnerabilities so KSU could have time to mitigate the issues. Once 
mitigated, the security researchers wanted to discuss issuing a public 
notification so they could get credit for finding the 


vulnerabilities. The security researchers never demanded any money for 
finding the vulnerabilities. 


On Friday, March 3, aote. EEE EN with[ — þia text 
message after seeing news reports about a security incident at KSU's CES as 


A ; : b7C 
and the FBI being WESEL | NE surprised to see the 
security incident in the news but though [ being involved was a 


good thing. 


[____ statea he knew Merle King who is the Executive Director at KSU's 
CES. However, he has not spoken to King in approximately two years. King 


reached out to about potentially conducting a penetration test 
against the CES website the last time the two spoke but the test never 
happened. 


email exchanges with KSU. A copy of the emails will be maintained in the 
1A section of the case file. 


|. b7E 


MEN |” Gy Ner, ec js fe dread i 


i = mo demand. For naen A 
C W GL een Me. 2 EREMO 


meee å MD | . WM 


Mr KE DN 


= ve : b6 
Conversation with Hm 


b7E 
Notebook: [____ ]notebook 


Created: 3/1/2017 8:46 PM Updated: 3/1/2017 9:06 PM 


Author: . | | Location: Cherokee Countv. Georaia. United... 


Bastille Networks - contact throug 
* Director of Marketing and Director of Research are în the loop 


= talk d te Mede phe abat Dyer = i 


ee m. 


did ki NE 
= a pee "S Nesser E 


Ls Ie d Euge Ba 


i pu Co 


"6 (e Je A Serve - A spl E E ac O. 


NS M ENDS eus — 
ee 
i 
2 -44 = 


SIBI ZU Zimbra 


Zimbra | | 


” Re: Vulnerability on the elections.kennesaw.edu website 


Subject : Re: Vulnerability on the elections.kennesaw.edu website 
To , Stephen 
C. Gay = 


| Heard back from the researchers, here's what they shared with me: 


b"7C 
b7E 


Thanks 


Michael J. Coles College of Business 

— ...Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 
560 Parliament Garden Way NW, MD 0405 


Ph; 


Burruss Building, Room| | 


— — £3656d7065722070617261747573 


Fro 
_ To: "Stephen C. Gay” 
Sent: Thursday, March 2, 2017 2:56:45 PM 
Subject: Re: Vulnerability on the elections.kennesaw.edu website 


| — 


1/4 


SVS Zimbra 


| bnd Stephen, 


I'm in the process of reaching out to the researcher(s) now, and will get back to you with any 
77 details they provide to me. 


„Please let me know if you need anything else. 


Thanks 


Michael J. Coles College of Business 


Kennesaw State University - A Center of Academic Excellence in Information Assurance b6 
Education e 


7 77560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Burruss Building, Room [ ] 


73656d7065722070617261747573 


— —Sent: Thursday, March 2, 2017 6:44:22 AM 
Subject: Re: Vulnerability on the elections.kennesaw.edu website 


24 


ILE 


Zimbra 


fi de coordinating the incident so if you could a send the information to him (cc'd 
on this email) I would appreciate it. 


— Fhank you. 


Stephen C Gay CISSP CISA 
KSU Chief Information Security Officer & UITS Executive Director 


.. . Information Security Office 


University Information Technology Services (UITS) 
Kennesaw State University 

Technology Services Bldg, Room 031 

1075 Canton PI, MB 43503 

~ Kennesaw, GA 30144 


Phone: (470) 578-6620 


Fax: a | 578-9050 


From: 

To: "Stephen C Gay' 

Sent: Wednesday, March 1, 2017 9:55:27 PM 

~ Subject: Vulnerability on the elections.kennesaw.edu website 


Stephen, 

- —7Hhanks for taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in ce here in Atlanta earlier tonight. My friend relayed 
to me the existence of a vulnerability that a fri 


elections.kennesaw.edu website. The vulnerability allows for 


My friend shared with me that th 


I was able to verify the presenc 


I'm told the researcher works for a reputable organization. I'm also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well'as the related publicity it would generate for the organization. My sense is that 
there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in bedrock, 
as I'm just the middleman here. However, given that they reached out to me as opposed to 


b6 
b7C 


3/4 


= i Zimbra 


DI ON kl n -eem 


releasing to the public, I'm hopeful that my sense is correct. 


If I can be of further service, including facilitating communication between all parties, please 
- — dont hesitate to let me know. 


Thanks 


b6 
Ea b7C 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education — - 
560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Burruss Building, Room[ ] 


73656d7065722070617261747573 


"up em 


b7E 
4/4 


SVI Zimbra 


” Re: Vulnerability on the elections.kennesaw.edu website 


From] Thu, Mar 02, 2017 02:56 PM 


Subject : Re: Vulnerability on the elections.kennesaw.edu website 
To , Stephen 


h L ba Stephen, 


I'm in the process of reaching out to the researcher(s) now, and will get back to you with any 
details they provide to me. 


b6 
b7C 
b7E 


Please let me know if you need anything else. 


— Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 

~ |= kennesaw, GA 30144-5591 


Ph: 
~ —-Burruss Building, Room [ | 


73656d7065722070617261747573 


77 From: "Stephen C. Ga 
To: 
Cc: 


3/8/2017 7 | Zimbra 


Sent: Thursday, March 2, 2017 6:44:22 AM 
Subject: Re: Vulnerability on the elections.kennesaw.edu website 


Good morning. We are actively investigating this incident, specifically focusing on the scope 
of data disclosure. With that in mind, we are seeking your assistance in determining when 
3 ne from where the Security ESTER) accessed the elections.kenne 
Că O » Ci 


AW EGU data 
> AENA 


[ A coordinating the incident so if you could please send the information to him (cc'd 
on this email) I would appreciate it. 


~~ Fhank your 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 
Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

Technology Services Bldg, Room 031 

1075 Canton PI, MB 43503 


b6 
Kennesaw, GA 30144 b7C 
Phone: (470) 578-6620 b7E 


Fax: — 578-9050 


Sent: Wednesday, March 1, 2017 9:55: 27 PM 
^ Subject: Vulnerability on the elections.kennesaw.edu website 


Stephen, 


— — Thanks for-taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in the security space here in Atlanta earlier tonight. My friend relayed 
to me the existence of vulnerability that a friend of his located on the 


elections.kennesaw.edu website. The vulnerability allow 


I was able to veri 


BUT — == Zimbra 


..... I'm told the researcher works for a reputable organization. I'm also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well as the related publicity it would generate for the organization. My sense is that 
there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in bedrock, 

~~ as I'm just the middleman here. However, given that they reached out to me as opposed to 
releasing to the public, I'm hopeful that my sense is correct. 


If I can be of further service, including facilitating communication between all parties, please 
~ — - dont hesitate to let me know. 


Thanks 
b6 
b7C 
un b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education .. .. 

560 Parliament Garden Way NW, MD 0405 


Ph 
Burruss Building, Roon | 


73656d7065722070617261747573 


aru | Zimbra 


Zimbra M. 


—Ó d 


Re: Vulnerability on the elections.kennesaw.edu website 


— — From : Stephen C. Gay] Thu, Mar 02, 2017 06:44 AM 


Subject : Re: Vulnerability on the elections.kennesaw.edu website 
To 
Cc 


Good mornin 
focusin 


mmm coordinating the incident so if you could please send the 
information to him (cc'd on this email) I would appreciate it. 


b6 
Thank you. b7c 
b7E 
Stephen C Gay CISSP CISA 
="KSU Chief Information Security Officer 8 UITS Executive Director 
Information Security Office 
University Information Technology Services (UITS) 
Kennesaw State University 
.. .Technology-Services Bldg, Room 031 
1075 Canton Pl, MB 43503 
Kennesaw, GA 30144 


Phone: (470) 578-6620 


_ Fax: (470) 578-9050 
From: 
—-Te:' “Stephen C Gay" 


Sent: Wednesday, March 1, 2017 9:55:27 PM 
Subject: Vulnerability on the elections.kennesaw.edu website 


_ Stephen, 


Thanks for taking the time to talk with me tonight. As I mentioned during our 
call, I was contacted by a friend in the security space here in Atlanta 
earlier tonight. My friend relayed to me the existence of a 


1/3 
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vulnerability that a friend of his located on the elections.kennesaw.edu 
website. The vulnerability al s for 


ny friend shared with ne that ene | | 


I was able to verify the presence of the vulnerability myself, and was able 


I'm told the researcher works for a reputable organization. I'm also told 

—-that-the organization may be interested in going public with this at some 
point, due to the seriousness of the matter as well as the related publicity 
it would generate for the organization. My sense is that there is a desire to 
go public in a coordinated, responsible manner, in order to give the 

. university appropriate time to remediate the vulnerability. This is certainly 
not set in bedrock, as I'm just the middleman here. However, given that they 
reached out to me as opposed to releasing to the public, I'm hopeful that my 
sense is correct. 


TF I can be of further service, including facilitating communication between 
all parties, please don't hesitate to let me know. 


Thanks 


b7C 
b7E 


Michael J. Coles College of Business 
—-Kennesaw State University - A Center of Academic Excellence in Information 
Assurance Education 
560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Ph: 
Burruss Building, Room [ | 


à 


3/8/2017 


73656d7065722070617261747573 


Zimbra 
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b7E 


RMZUTM Zimbra 


Re: Need to speak with you in-person 


Subject : Re: Need to speak with you in-person 
To : Stephen C. Gay 


[think our emails passed each other, you should have the details now. 


Thanks 


b6 
b7C 


Michael J. Coles College of Business BIE 


Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education | 

560 Parliament Garden Way NW, MD 0405 

Kennesaw, GA 30144-5591 


Burruss Building, Room |] 


____73656d7065722070617261747573 


Subject: Re: Need to speak with you in- n-person 


== 


” Tve got the team on standby and we are awaiting the information on the conduit for the 
alleged breach. Please send to me as soon as possible. 


Stephen C Gay CISSP CISA 
> —KSU Chief Information Security Officer & UITS Executive Director 
Information Security Office 
University Information Technology Services (UITS) 
Kennesaw State University 


— — 7 Room 031 
1/3 


3/8/2017 Zimbra 


1075 Canton Pl, MB #3503 
Kennesaw, GA 30144 


- —Phone: (470) 578-6620 


Fax: > | 578-9050 


From: 
To: "Stephen C Gay' 
Sent: Wednesday, Marc :27: 
„Subject: Re: Need to speak with you in- |-person 


P EN 


This needs to happen immediately. It's that serious. 


Can you talk now, by phone? 


i Than ks 


ee e me 


Michael J. Coles ss Collage of Business 


. Kennesaw State University - A Center of Academic Excellence in Information Assurance 


Education 
.......960 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


— —-Burruss Building, Room | 


73656d7065722070617261747573 


Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


a e 


pl 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 


— —-to-Friday. Can we meet on Monday, or can I call you on Friday? 


Stephen 


AA 


b6 
b7c 
b7E 
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VIOLEN VE Zimbra 


— — Sent; Mar 1, 2017 9:23 PM 


To: Stephen C. Gay 
Subject: Need to speak with you in-person 


m Stephen, _ 
I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


— — Please let me know when make time to meet with me. 


Thanks 
b6 


b7C 
ds a b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
„Education — -- 
560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Burruss Building, Room [| 


73656d7065722070617261747573 


Dati meas, — 


Wa tt Zimbra 


Vulnerability on the elections.kennesaw.edu website 


From Wed, Mar 01, 2017 09:55 PM 
Subject : Vulnerability on the elections.kennesaw.edu website 


Stephen, 


Thanks for taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in the security space here in Atlanta earlier tonight. My friend relayed 
to me the existence of D vulnerability that a friend of his located on the 
elections.kennesaw.edu website. The vulnerability allows fo 


I was able to verify the presence of the vulnerability myself, and was able to 


I'm told the researcher works for a reputable organization. I'm also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well as the related publicity it would generate for the organization. My sense is 
that there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in 
bedrock, as I'm just the middleman here. However, given that they reached out to me as 
opposed to releasing to the public, I'm hopeful that my sense is correct. 


If I can be of further service, including facilitating communication between all parties, please 
don't hesitate to let me know. 


Thanks 


4/2 


SOLVE Zimbra 


FEE EEE 


~ Michael J. Coles College of Business 
Kennesaw State University - A Center of Academic Excellence in Information Assurance 


Education 
560 Parliament Garden Way NW, MD 0405 a 
._Kennesaw,-GA 30144-55 iur 


. Burruss Building, Room| ^ | 


73656d7065722070617261747573 


[UU 


ED d Zimbra 


Re: Need to speak with you in-person 


From : Stephen C. Gay | | Wed, Mar 01, 2017 09:47 PM 


Subject : Re: Need to speak with vou in-person 
To | 


I've got the team on standby and we are awaiting the information on the 
—. conduit for the alleged breach. Please send to me as soon as possible. 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 
Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

Technology Services Bldg, Room 031 

1075 Canton Pl, MB #3503 

— -Kennesaw, 'GA 30144 


Fax: (470) 578-9050 b7C 
b7E 


-—--- E 


Sent: Wednesday, March 1, 2017 9:27:33 PM 
~ “Subject: Re: Need to speak with you in-person 


This needs to happen immediately. It's that serious. 
_.Can.you talk. now, by phone? 


Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information 
_ Assurance Education 
- 560 Parliament Garden Way NW, MD 0405 


a Zimbra 


Ph: 
Burruss Building, Room [ ] 
73656d7065722070617261747573 b6 
b7c 
b7E 
From: "Stephen C. Gay” 
To: 
Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 
I'm closing on a house tomorrow and will be out of the office until Monday, 
then afterwards to Friday. Can we meet on Monday, or can I call you on 
_ Friday? -~ 
Stephen 
Sent from Nine 
From: 
Sent: Mar 1, 2017 9:23 PM 
To: Stephen C. Gay 
„ „Subject: Need to speak with you in-person 
Stephen, 
I need to speak with you in-person regarding a very sensitive matter. Due to 
the importance of the issue, this conversation needs to happen immediately. de 
b7c 
Please let me know when make time to meet with me. b7E 


— Thanks X 


-Michael J. Coles College of Business 
Kennesaw State University - A Center of Academic Excellence in Information 
Assurance Education 
560 Parliament Garden Way NW, MD 0405 

. .Kennesaw, GA 30144-5591 
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: b7E 
Burruss Building, Room] 
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Re: Need to speak with you in-person 


From : Stephen C. Gayf i Wed, Mar 01, 2017 09:28 PM 


Subject : Re: Need to speak with you in-person 
—-— TO: 


Sure, give me a call on my cif .. | 


_ _ Stephen 


Sent from Nine 


From: 

~~ Sent: Mar 1, 2017 9:27 PM - 
TO: stephen C. Gay b7c 
Subject: Re: Need to speak with you in-person i b7E 


> This needs to happen immediately. It's that serious. 
Can you talk now, by phone? 


+ Thanks ~ 


— -Michael J. Coles College of Business 
Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 
560 Parliament Garden Way NW, MD 0405 

__ Kennesaw, GA 30144-5591 


oom[ | 


Burruss Building, 
73656d7065722070617261747573 


.. - From: "Stephen C. Gay" 


12 


HOV Zimbra 


Sent: Wednesday, March 1, 2017 9:26:08 PM 
"^ Subject: Re: Need to speak with you in-person 


E 


~ -Emeelosing-on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 


Stephen 


Sent from Nine 


From 
_ .. Sent: Mar 1, 2017 9:23 PM b6 
TO: Stephen C. Gay b7C 


Subject: Need to speak with you in-person DIE 


... Stephen, 


I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


— — Please let me know when make time to meet with me. 


Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
.. .-Education — -- 

560 Parliament Garden Way NW, MD 0405 

Kennesaw, GA 30144-5591 


Ph: 


Burruss Building, Room [ 


73656d7065722070617261747573 


A A NAS i iee 
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SUM Zimbra 


_ Re: Need to.speak with you in-person 


~ Subject : Re: Need to speak with you in-person i 


To : Stephen C. Gay[ |] 


This needs to happen immediately. It's that serious. 


Can you talk now, by phone? 


Thanks 


b7C 
b7E 


Michael J. Coles College of Business 


— Education 
560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Ph 
Burruss Building, Room | 


.. 13656d7065722070617261747573 


From: "Stephen C. Gay" 
To: 

7 Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 


. Stephen ~ 


HOV VI 


Zimbra 


. From: 


Sent: Mar 1, 2017 9:23 PM 
TO: Stephen C. Gay 
Subject: Need to speak with you in-person 


— Stephen, 


I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


Please let me know when make time to meet with me. 


Thanks d 


b7E 


Michael J. Coles College of Business 
-Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 
560 Parliament Garden bed NW, MD 0405 
A 301 


Burruss Building, Room . ] 


~ 73656d7065722070617261747573 
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39/201/ fa COG rd zimora 


- Re: Need to-speak with you in-person 


From : Stephen C. cy  _ | Wed, Mar 01, 2017 09:26 PM 


^ Subject : Re: Need to speak with you in-person 
To | 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 
b6 


Nr 
b7C 


a From] ] b7E 
Sent: Mar 1, 2017 9:23 PM | 
TO: Stephen C. Gay 
Subject: Need to speak with you in-person 


- Stephen - 


Sent from Nine 


Stephen, 


I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


Please let me know when make time to meet with me. 


Thanks 


Michael J. Coles College of Business . 

— --«Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 
560 Parliament Garden D May NW, MD 0405 
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JOIZULI "» - Zimbra 


— 


- Need to speak with you in-person 


remi — O u lK Wed, Mar 01, 2017 09:23 PM 


~ Subject : Need to speak with you in-person 
To : Stephen C. Ga 


Stephen, 
I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


. .. Please let me know when make time to meet with me. 


Thanks 


b6 
b7C 
b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education _ 

560 Parliament Garden Way NW, MD 0405 

Kennesaw, GA 30144-5591 


Ph: 
Burruss Building, 


Room] | 


73656d7065722070617261747573 
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FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/27/2017 


at his residence located at 


was interviewed 


Atlanta, Georgia. After 


being advised of the identity of the interviewing Agents and the nature of 
the interview, | provided the following information: 


website.io). 


In addition, 


company Bastille have been working together on research where they have 


identified several security vulnerabilities in a particular type of 
software. In following the responsible disclosure a Joni 

notified the software company of the vulnerabilities. They are 
working with the company to resolve the vulnerabilities and potentially 
present their research at the Defcon Cyber Security Conference in Las 
Vegas, Nevada this year. 


On Wednesday, February 22, 2017, LLL Jwere atl [nouse 


working on the research mentioned above. During one of their 
conversations, stated he wished he could have published his research 
on the Kennesaw State University's (KSU) Center of Elections (CES) 
Website.[____]had found several security vulnerabilities with site. 

discussed his findings with his supervisors at n |= 4 
supervisors stated there was no way in hell they wanted to report on 
anything related to elections. However, still notified KSU CES 
directly of his findings who supposedly resolved the issues. 


| statea he ana| — decided to see if KSU actually resolved the 


issues. In conducting some basic searches, th immediately discovered 


vulnerabilities for the 
the KSU CES website that allowed 


did not know if was using In addition, 


Investigation on 03/16 at Atlanta, Georgia, United States (In Person) 


File # 


Date drafted 03/17/2017 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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FD-302a (Rev. 05-08-10) [| | 


Continuation of FD-302 of (U) Interview of 


following three programs to test the website: [ 1] 


03/16 


On /2017 2 of 2 


, Page 


used the 


ma [statea he was very concerned about the security vulnerabilities 
in the KSU CES website. After about a week of thinking about it, e 
stated he cont and told him that he was going to report their b7C 
findings to who is a professor at B: he had b7E 
previously met at one of the Atlanta B-Sides conferences in Atlanta, 


Georgia. 


On March 01, 2017, |notiriea[ |stated he accessed 


the KSU CES website again while discussing the vulnerabilities with 
During this Ei Je the website from his residence using 


just the IP address assigned by his Internet Service Provider (ISP) Google 
Fiber and not the VPN service previously used. stated he believes 
the IP address assigned to him during this time was 

also provided his IPv6 IP addres 
assigned by Google Fiber. 


[  ]statea that he only downloaded one database file from the KSU 
CES website as a proof of concept during all of his research but had 
already deleted the file from his computer. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/27/2017 


On March 17, 2017, Special Agent sj returned the 


Center of Elections (CES) server collected on March 03, 2017 to Stephen 
Gay who is the Chief Information Security Officer at Kennesaw State b3 
University. In addition, S rovided Gay with a CD containing a b6 
spreadsheet with iae 
P b7E 
logs. 
Copies of the FD-597 Receipt of Property and the spreadsheet provided 

to Gay will be maintained in the 1A section of the case file. 

Investigation on 03/17 a Kennesaw, Georgia, United States (In Person) 

File Date drafted 03/27/2017 

by SA 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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*U.S. GPO: 2004-307-714/90013 


FD-597 (Rev 8-11-94) Page | of | 


UNITED STATES DEPARTMENT OF JUSTICE 
FEDERAL BUREAU OF INVESTIGATION 
Receipt for Property Received/Returned/Released/Seized 


File 4 


On (date) 5 Z [7 item(s) listed below were: 


[] Re ived From 
IB Returned To 
O Released To 
[] Seized 


(Name) 4 on 
(Street Address) C ha 
(City) K G 


Description of Item(s): 


| Dell. Pwer! Lel P A P oc 


b6 
b7C 
bw 


Received By: Received From: 
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UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rev. 10-16-2009) 


Form Type: OTHER Date: 03/30/2017 


Title: w| ]Preservat: on Letter 


b3 


b7C 


b7E 
Drafted By: sa] 


KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U Preservation Letter tof | 


** 


UNCLASSIFIED 


U.S. Department of Justice 


Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


Dear Custodian of Records: 


This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use, 
Section 2703(f) pending further legal process. 


You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 
You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 


This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 


This preservation request applies to the following records 
and evidence: 


b6 
b7C 
b7E 


Please 
to Special Agent 


Sincerely, 


upervisory Special Agent 


FD-448 FEDERAL BUREAU OF INVESTIGATION 


Revised 


E. FACSIMILE COVER SHEET 
PRECEDENCE 
© Immediate © Priority (© Routine 


CLASSIFICATION 


© Top Secret Q Secret Q Sensitive 


© Unclassified 


Date: 
03/29/2017 


Telephone Number: 
Custodian of Records 


FROM 


Name of Office: 
FBI Atlanta 


Number of Pages: (including cover) 
3 
Originator's Facsimile Number: 


404-679-1417 


Appr 
DETAILS 
Subject: 
Preservation Letter 
Special Handling Instructions: 
Brief Description of Communication Faxed: 
WARNING 


Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 
reproduction, distribution, or use of this information is prohibited (18.USC, § 641). Please notify the originator or local FBI Office 
immediately to arrange for proper disposition. 
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UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Import Form 


FD-1036 (Rev. 10-16-2009) 


Form Type: OTHER Date: 03/30/2017 


Title: (U) = Preservation Letter b6 
b7c 
b7E 


KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: gd... O OO . Letter for 


The preservation letter was assigned 


$* 


UNCLASSIFIED 


U.S. Department of Justice 


Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


Dear Custodian of Records: 


This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use, 
Section 2703(f) pending further legal process. 


You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 
You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 


This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 


This preservation request applies to the following records 
and evidence: 


b6 
b7C 
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b6 
b7C 
b7E 


Please direct an uestions you may have about this order 


Sincerely, 


Spe 


Supervisory Special Agent 


288A-AT-2141248 Serial 12 
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FEDERAL BUREAU OF INVESTIGATION 


Import Form 


Form Type: OTHER Date: 03/30/2017 


b7C 
b7E 


Case ID #: 288A-AT-2141248 (U) UNSUB (S); 
KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


M ci |] Preservation Letter for [ | | 


++ 


UNCLASSIFIED 


U.S. Department of Justice 


Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


Dear Custodian of Records: 


This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use, 
Section 2703(f) pending further legal process. 


You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 
You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 


This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 


This preservation request applies to the following records 
and evidence: 


b6 
b7C 
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case direct an uestions you ma ave abou 1S order 
to Special Agen 


b6 
: b7C 
Sincerely, b7E 
pec 


Supervisory Special Agent 
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Form Type: UNET-EMAIL Date: 04/04/2017 


Title:(U) Email from Stephen Gay, KSU 


b3 


b7C 


O po ee 


KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) Email from Stephen Ga CISO, KSU, dated March 21 
Enclosure(s): Enclosed are the following items: 


++ 


UNCLASSIFIED 


From: Stephen C. Gay 
21, 2017 4:15 PM 


Attachments: 


Amp | 


b6 
ovided Friday, a member of the team b7C 
in a new spreadsheet (attached) which denotes any additional b7E 


I'm passing along in 


information we may have on 
hopes that it will ultimately help you in determining whether there are 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director Information Security Office University 
Information Technology Services (UITS) Kennesaw State University Technology Services Bldg, Room 031 
1075 Canton Pl, MB #3503 

Kennesaw, GA 30144 

Phone: (470) 578-6620 


Fax: a 578-9050 


mm 
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FEDERAL BUREAU OF INVESTIGATION 


Date of entry 04/12/2017 


On March 30, 2017, representatives from the Atlanta Division of the 
Federal Bureau of Investigation (FBI) as well as the United States 
Attorney's Office, Northern District of Georgia (USAO-NDGA), met with 
executives of Kennesaw State University (KSU) in the KSU Presidential 
Boardroom. The individuals in attendance included: 


Federal Bureau of Investigation b3 
b6 
b7C 


Supervisory Special Agent 
Special Agent BYE 


Special Agent 


United States Attorney's Office 


Deputy Chief, Criminal Division 
Assistant United States Attorney 


Kennesaw State University 


Samuel S. Olens, President 

Lectra Lawhorne, Chief Information Officer/VPIT 

Stephen C. Gay, Chief Information Security Officer 

Merle S. King, Executive Director, Center for Election Systems 


The purpose of the meeting was for the FBI and USAO to share 
information with KSU executives related to the alleged breach of a server 


associated with elections.kennesaw.edu. 


In summary, ssa| — ]provided KSU executives with a high-level overview 


of investigative findings related to the case. SSA advised during the 


course of the investigation, the FBI provided by 
"MEME E conducted interviews. During the 


investigation, the FBI identified a security researcher who found at least 


Kennesaw, Georgia, United States (In Person) 


Investigation on 03/30 at 
Lo] u ÎI 
File 4 Date drafted 04/10/2017 b6 
b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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U) FBI/USAO-NDGA Meeting with KSU 03/30 


y 
P 


Continuation of FD-302 of 


one vulnerability associated with elections.kennesaw.edu. 
ive findings to the NDGA USAO's office who determined no 
te had been violated by the security researcher. 


the inves 


federal s 


[| 


full scope of 


President Olens advised KSU was working with a third-party 
as Georgia Tech to review the security of their servers. 


Executives „On /2017 


tigat 


tatu 


time the server may have been compromised. 


, Page 


The FBI provided 


musa | advised KSU executives due to the limited 
provided by KSU, the investigation did not encompass the 


firm as well 


the FBI and USAO's prompt investigation. 


He also praised 
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FEDERAL BUREAU OF INVESTIGATION 


Date of entry 10/23/2017 


and sal Jeonauctea a 


into an alleged compromise of the Kennesaw 
(KSU) Center for Election Systems (CES) website 


Special Agent 


Stated University 


(elections.kennesaw.edu). The 
No investigative activity has been conducted on the 


case since August 18, 2017. 


s[ ] requests the evidence item 1B-1 (one (1) Seagate 2 TB SATA HDD, 
S/N 96J2F01) 


S/N 5XW2AP34, containing image of Dell PowerEdge R610 Server, 
be transferred to case Ep 3 Once completed, the case b7A 


file will be closed. 


(Transfer of 


Atlanta, Georgia, United States (, Other 


Investigation on 10/20/2017 at Evidence) LL 
b3 


File + Date drafted 10/20/2017 b6 
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by 
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 


to be distributed outside your agency. 


